Hello netsniff-ng team, I'd like to use netsniff-ng to replace daemonlogger in my Security Onion distribution: http://securityonion.blogspot.com
So far, I've got netsniff-ng 0.5.7 packaged in our Ubuntu Launchpad PPA:
https://launchpad.net/~securityonion/+archive/test/+sourcepub/2761680/+listing-archive-extra

Now I need to update our scripts to run netsniff-ng with the same specifications as daemonlogger. We currently run daemonlogger as follows:

daemonlogger -u sguil -g sguil -i $INTERFACE -f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf -l /nsm/sensor_data/$HOSTNAME-$INTERFACE/dailylogs/$DATE -n snort.log -s 134217728

Let's look at each of these options:

-u sguil -g sguil
According to the netsniff-ng FAQ, netsniff-ng must be run as root, so this is not possible.

-i $INTERFACE
This should be the same option in netsniff-ng.

-f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf
This should be the same option in netsniff-ng, but my understanding is that I'll need to convert my "human-readable" bpf-pcap.conf using "tcpdump -dd"?

-l /nsm/sensor_data/$HOSTNAME-$INTERFACE/dailylogs/$DATE
In netsniff-ng, looks like I'll use the -o option to specify the output directory.

-n snort.log
This makes daemonlogger name the files in the output directory snort.log.$TIMESTAMP. Is there an equivalent option in netsniff-ng?

-s 134217728
This configures daemonlogger to rotate to a new pcap file when it reaches 129MB. Is there an equivalent option in netsniff-ng?

Thanks in advance for any assistance!

-- 
Doug Burks
http://securityonion.blogspot.com
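As an added illustration (not Security Onion's or netsniff-ng's own code) of the three options the post maps directly, here is a POSIX sh wrapper that compiles the human-readable bpf-pcap.conf with "tcpdump -dd", checks the result before the sniffer starts, and then runs netsniff-ng with -i, -f and -o; it assumes netsniff-ng accepts a "tcpdump -dd" style filter file via -f, that HOSTNAME, INTERFACE and DATE are set by the caller as in the daemonlogger command line, and that it runs as root.

```shell
#!/bin/sh
# Constructed wrapper, not Security Onion's or netsniff-ng's own code.
# Assumptions: netsniff-ng -f takes a "tcpdump -dd" style filter, -o takes
# an output directory, and the script runs as root (as the FAQ requires).
set -eu

NSM_CONF_DIR="${NSM_CONF_DIR:-/etc/nsm}"
NSM_DATA_DIR="${NSM_DATA_DIR:-/nsm/sensor_data}"

# Accept only lines of the form "{ 0x28, 0, 0, 0x0000000c }," (plus blank
# lines), so a broken or unconverted filter is rejected before netsniff-ng
# starts instead of silently capturing everything or nothing.
is_dd_filter() {
    # usage: is_dd_filter <file>; returns 0 when every line is a BPF array entry
    [ -s "$1" ] || return 1
    ! grep -Eqv '^[{] 0x[0-9a-fA-F]+, [0-9]+, [0-9]+, 0x[0-9a-fA-F]+ [}],?[[:space:]]*$|^[[:space:]]*$' "$1"
}

compile_filter() {
    # usage: compile_filter <iface> <human-readable bpf file> <output file>
    # tcpdump -dd emits the filter as C array initialisers; -i matters because
    # the interface's link-layer type changes the generated offsets.
    tcpdump -dd -i "$1" "$(cat "$2")" > "$3"
    is_dd_filter "$3"
}

run_sensor() {
    # usage: run_sensor <iface>; mirrors the daemonlogger -i/-f/-l layout
    iface=$1
    conf="$NSM_CONF_DIR/$HOSTNAME-$iface/bpf-pcap.conf"
    ddconf="$NSM_CONF_DIR/$HOSTNAME-$iface/bpf-pcap.dd"
    outdir="$NSM_DATA_DIR/$HOSTNAME-$iface/dailylogs/$DATE"
    compile_filter "$iface" "$conf" "$ddconf" || {
        echo "refusing to start: bad filter in $conf" >&2
        return 1
    }
    mkdir -p "$outdir"
    exec netsniff-ng -i "$iface" -f "$ddconf" -o "$outdir"
}

# Only start the sensor when explicitly asked, so the file can also be sourced.
if [ "${START_SENSOR:-0}" = 1 ]; then
    run_sensor "${INTERFACE:?INTERFACE must be set}"
fi
```

Run it as START_SENSOR=1 sh wrapper.sh with HOSTNAME, INTERFACE and DATE exported; the -n and -s questions from the post are left open here because the wrapper only uses options the post maps.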
